Massive DDoS Assault Launched From Anti-DDoS Servers

A new type of denial-of-service attack is ironically drawing upon the resources of services intended to guard against such dangers

US security firm Incapsula has reported a massive DNS distributed denial-of-service (DDoS) attack on one of its customers – ironically, launched from the servers of two providers of anti-DDoS services.

The attack, far from being an isolated incident, is part of a dangerous emerging trend, according to the company – that of using DNS floods, which it says can bring down even highly resilient networks.

Growing trend

The company said the attack, carried out against an online gaming firm’s network, originated from networks in China and Canada.

“We were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China,” the company said in a statement. “All told, these were hitting our network at a rate of 1.5 billion DNS queries a minute, amounting to over 630 billion requests during the course of the seven-hour long DDoS attack.”

Incapsula said the attack was similar to others carried out against its own network, as well as DNS floods that have recently affected companies including UltraDNS.

“We are now convinced that what we are seeing here is an evolving new trend,” the company stated.

The attack peaked at approximately 25 million packets per second, Incapsula said. It was carried out by attackers who used the powerful server infrastructure intended for anti-DDoS activities to send out the attack traffic. The parties involved were dropped from the services after Incapsula’s investigation.

“This is the first time we encountered ‘rogue’ scrubbing servers used to carry out large-scale DDoS attacks,” Incapsula stated. “This fact, combined with the inherent danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous. DDoS protection services, with their proximity to the Internet’s backbone and wide traffic pipes, are specifically designed for high capacity traffic management. This, combined with the fact that many vendors are more concerned with ‘what’s coming in’ as opposed to ‘what’s going out’, makes them a good fit for hackers looking to execute massive non-amplified DDoS attacks.”

Defence difficult

DNS floods are relatively rare, because they are not amplified, meaning that massive computing resources are required to carry them out. That contrasts with the more common DNS amplification attacks, which are “asymmetrical”, meaning that a relatively small network of computers can launch a large-scale attack.

However, DNS amplification attacks are also relatively easy to defend against, Incapsula said.

“This isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level,” the company stated. “DNS floods have the potential to bring down even the most resilient of networks. Thankfully, this potential is usually capped by the capacity of the attacker’s own resources.”

That is why the recent attack is so worrying, according to Incapsula – it demonstrates that, in fact, such high-powered resources can be easily available to attackers in the form, ironically, of anti-DDoS server networks.

“In this case, the security vendors played right into the hackers’ hands, by equipping them with high-capacity resources, able to generate billions upon billions of unfilterable DDoS requests – enough to pose a serious threat even to the most overprovisioned servers,” Incapsula wrote.
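To make the distinction Incapsula draws concrete, here is an added example (not Incapsula's code or anything from the article) of defender-side logic run over a constructed DNS query log: amplification traffic carries a per-query signature (ANY lookups, responses far larger than the request) and can be dropped query by query, whereas a non-amplified flood of ordinary-looking queries only shows up as aggregate volume per time window. The log format, the thresholds and the window width are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample log (not real traffic). Fields:
# time_ms src_ip qname qtype req_bytes resp_bytes
SAMPLE_LOG = """\
0 203.0.113.10 example.net ANY 60 3200
10 203.0.113.10 example.net ANY 60 3200
20 203.0.113.10 example.net ANY 60 3200
0 198.51.100.7 a1.gaming.example A 62 78
0 198.51.100.8 a2.gaming.example A 62 78
10 198.51.100.9 a3.gaming.example A 62 78
10 198.51.100.10 a4.gaming.example A 62 78
20 198.51.100.11 a5.gaming.example A 62 78
30 198.51.100.12 a6.gaming.example A 62 78
1500 192.0.2.5 www.example.org A 61 77
"""

AMP_RATIO = 10.0   # assumed: a response >= 10x its request looks like amplification
FLOOD_QPS = 50.0   # assumed: aggregate queries/second beyond the resolver's capacity
WINDOW_MS = 100    # assumed: width of the rate-measurement window in milliseconds


def parse_log(text):
    """Turn the whitespace-separated log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        ts, src, qname, qtype, req, resp = line.split()
        rows.append({"ts": int(ts), "src": src, "qname": qname,
                     "qtype": qtype, "req": int(req), "resp": int(resp)})
    return rows


def per_query_signature(row):
    """Amplification traffic is recognisable one query at a time:
    ANY lookups, or responses many times larger than the request."""
    return row["qtype"] == "ANY" or row["resp"] / row["req"] >= AMP_RATIO


def detect(rows):
    """Return (amplifying_sources, flood_windows).

    Sources with a per-query signature can be filtered individually.
    The remaining queries look legitimate on their own, so the only
    signal left is how many arrive per window; windows whose rate
    exceeds FLOOD_QPS are reported as {window_start_ms: qps}."""
    amplifying = {r["src"] for r in rows if per_query_signature(r)}
    per_window = Counter(r["ts"] // WINDOW_MS for r in rows
                         if r["src"] not in amplifying)
    floods = {w * WINDOW_MS: n * 1000 / WINDOW_MS
              for w, n in per_window.items() if n * 1000 / WINDOW_MS > FLOOD_QPS}
    return amplifying, floods
```

Run `detect(parse_log(SAMPLE_LOG))`: the ANY source is caught by signature, none of the 198.51.100.x queries is, and only the 0-100 ms window (60 qps) stands out as a flood.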

One third of UK companies recently surveyed by Neustar say they were hit by DDoS attacks last year, which resulted in estimated losses of £240,000 per day. The majority of firms said they were ill-equipped to deal with such attacks.

I’m sceptical that the anti-DDoS networks protecting the gaming sites were the real source. I’ve seen cases of mistaken identity involving very similar sites before (see for example “Looking for packets from three particular subnets” on the SANS diary). A Distributed Reflected Denial of Service attack (DRDoS) will have a spoofed source IP, whether it is DNS-based (from port 53), other UDP (e.g. NTP), or TCP SYNs (often from port 80 or a known server port), so the origin botnet can only be found by large-scale analysis of network flows and Ethernet headers or honeypots.